As part of the Information Security Testing Team, the Senior Information Security Tester is responsible for delivering appropriate Security Testing of Products during delivery and as required during the end-to-end product lifecycle. This will include Penetration Testing and, as part of the Secure Software Development Lifecycle, code review, infrastructure scanning and web application scanning.
We will expect you to have finely honed Stakeholder Management skills, including working with BAU Teams, Programme/Project teams, Agile delivery teams, developers, infrastructure engineers, DevOps teams and other Information Security Teams, to ensure that IT Products are tested for continual compliance with legal requirements and Information Security policies and standards.
What I need to do
The Senior Information Security Tester will be engaged in delivering Penetration Testing Services, i.e.:
Manage internal security assurance for internally developed applications within a DevOps environment
Scope penetration testing for both internal and external facing applications
Manage external resources to ensure that penetration testing is carried out to a suitable standard, on time and within budget
Manage the internal vulnerability scanning programme to ensure that scans are planned and carried out in a timely manner
Responsible for performing internal security testing, including detailed and actionable reporting
Responsible for ensuring that vulnerabilities identified via the internal scanning programme or internal or external penetration testing are suitably mitigated, and that any residual risks are documented and formally accepted
Conduct Information Security Risk Assessments using the Information Security Risk Management Process
Ensures the benefits of Information Security and the concept of risk are understood by all colleagues
Pro-actively manages security risk assessments and mitigation plans to address risks within agreed timescales, evaluating business impact
Provides advice and guidance associated with the planning, design, implementation and improvement of system security, taking account of current best practice, legislation and regulation
Ensures all Product Teams consider the security implications throughout the product lifecycles
Ensures security risks are identified early on and catered for in the solution design, and that the resulting implementation addresses these risks
Authorises implementation of procedures to satisfy new access requirements, or provide effective interfaces between users and service providers
Works with Sainsbury’s Legal team to ensure Data Protection regulation is supported by all IT systems and processes
Reports the effectiveness of information security against industry standards and agreed KPIs, along with Security Incident Response Plans
Liaises with industry and national bodies (including regulators and auditors) to ensure the appropriateness of the information security function, e.g. PCI compliance
How I will succeed
All Products will be subjected to the appropriate Security Testing
Products remain compliant with the relevant standards and regulations throughout their lifecycle
Vulnerabilities are remediated and any residual risk is managed appropriately
Customer and Colleague feedback
Recognised as an Information Security SME
Continuous personal development
Fulfilling team and personal goals
What I need to know
Extensive knowledge of OWASP vulnerabilities, tools and methodologies
Experience of performing mobile security assessments (Android and iOS)
Experience of performing Infrastructure Assessments and Security Reviews on Windows/Linux environments and Databases
Experience of performing Red Team activities and knowledge of relevant frameworks
Extensive knowledge of HTTP, PCI ASV and SSDLC
Demonstrates extensive knowledge of good security practice covering the physical and logical aspects of information products, systems integrity and confidentiality
Expert in methods and techniques for risk management, business impact analysis, countermeasures and contingency arrangements relating to the serious disruption of IT services
Expert in tools or systems which provide access security control (i.e. prevent unauthorised system access)
Strong current knowledge of PCI, DPA and ISO27001
What I need to show
At least one of the following information security testing certifications: OSCP, GIAC or CREST (CRT or CCT)
Current Information Security qualifications/certifications (e.g. CISSP, CISM, CRISC, CEH) are desirable but not essential
Experience using web application vulnerability scanning tools (e.g. Qualys WAS, IBM AppScan, HP WebInspect)
Experience of using Static Application Security Testing (SAST) / Source Code Analysis tools (e.g. HP Fortify, Veracode, Checkmarx)
Ability to write penetration test reports for technical and non-technical audiences
Ability to work on your own with minimal supervision and deliver on time and to budget
Ability to think methodically and logically about situations, solve problems and communicate well using the spoken and written word
Has expert awareness of problem solving procedures used for business-critical IT incidents, and a good awareness of their implications for a retail business
Remains visible to customers as the face of Security Testing to listen to their concerns and share these with others
Ability to take responsibility, own the issue, resolve it (get the required result) and recognise how individual responsibility impacts team delivery
Works collaboratively with a range of Teams/People to support the wider business needs
Ability to translate complex/technical issues clearly to meet the needs of the audience
Ability to balance the benefits of optimised security with the cost of providing it, to promote the best overall interests of the business
Resources available to me
Information Security Management Team
Wider team of colleagues assigned to information security management, structured into functional areas, i.e. Policy & Risk, Compliance, Product Assurance, Security Testing, and Security Architecture and Operations
Third Party contractors (as appropriate) to complete penetration testing of systems
Security Product Owners, Security Architects, Solution Designers, various Data Working Groups including Customer, Colleague, Finance etc.
Industry and national bodies (as appropriate)
What decisions I can make
Testing strategies and plans for appropriate security testing
Determine appropriate controls to remediate vulnerabilities
Select the Gross and Net risk scores as part of the risk management process
Significant freedom to contribute to team processes